Small Business? Are You Prepared for Huge Headaches?

By Ron Benvenisti for TLS. Last week in “Cash Registers Take Your Money While Stealing Your Identity”, here on TLS, I wrote about businesses being vulnerable to the Backoff malware, which allowed hackers to steal Target’s customers’ credit card and other personal information. This was according to a Department of Homeland Security advisory issued the week before. In the article I mentioned that businesses running the obsolete Windows XP are particularly vulnerable and that most systems have not migrated to Windows 7 or 8. I also listed the local Secret Service field offices that businesses should contact if they believe they’ve been hacked or otherwise compromised.

This week I want to go into some more detail about the security requirements that are in effect now and will be strictly enforced by the Payment Card Industry starting in January. The PCI is an association of MasterCard, Visa, American Express and other merchant providers that decides whether you get to accept credit cards or not. Even if you have a bank card from your local or national bank, it says Visa or MasterCard. That goes for gift cards too. PCI is in control of what’s in your wallet.

Jan. 1, 2015 is the deadline for compliance with the Payment Card Industry Data Security Standard (PCI DSS) 3.0.

The PCI standard, which sets security requirements for all companies that access, store or transmit cardholder data (CHD) and personally identifiable information (PII), was published nearly a year ago, on Nov. 7, 2013, and has technically been in effect for all of this year (2014).

The now infamous Target breach was one of the largest breaches in history: 40 million credit card numbers and 70 million personal information records. This was last December, less than one month after the latest standard was released.

Small businesses must be prepared.

P.F. Chang’s restaurant chain was hacked from Oct. 19, 2013, until June 11, 2014! Goodwill Industries International Thrift Stores and Supervalu, owner of hundreds of grocery and liquor stores, have been successfully hacked. Add to the list, lesser known but high impact breaches at Albertsons, Acme, Jewel-Osco, Shaw’s, A.C. Moore, Star Market and those we don’t know about (possibly even yours).

Bob Russo, general manager at the PCI Security Standards Council (SSC), which develops and publishes the standards, describes the situation much better than I could. Bob has some sympathy for Target which I don’t share. Target actually knew it was happening but did nothing about it.

He gets up close and personal when he says he has multiple layers of security at his three-family home in New York City. “We checked all the boxes,” he said. Yet, at 5 a.m. one morning, “somebody pranced in and walked out with a laptop. Thankfully it was encrypted,” he said. “But how did that happen? We forgot to do something the night before.” And that, he said, is the point: security standards can only be effective if a company is in compliance all the time. That comports with a long-time mantra of security experts, that “compliance is not security,” especially when companies scramble to meet compliance standards for a yearly audit, but then let things slide until the next audit is approaching.

“Some of the SMBs (Small and Medium Businesses) don’t know which end is up,” he said. His strong terms are supported by the Verizon Business 2014 PCI report, in which only 10 percent of companies are passing their baseline assessment. That is, if they have performed an assessment at all.

Full compliance will not be easy or cheap for smaller companies, but the alternative could be a lot more expensive or even fatal to the business.

Smaller companies need to take seriously the damage that a high-profile breach can cause.

Russo said he hopes that fear will motivate companies to improve their security. “There are ways to prevent these things,” he said. “When details of breaches come out, they show that most of them were caused by very simple mistakes, like default passwords.”

That, he said, is neither difficult nor expensive to change. It just takes a different mindset. “I lock my car door every day, not just Monday, Wednesday and Friday,” he said.

In case our local businesses have not considered the seriousness of compliance, here are the twelve basic PCI DSS requirements. The PCI Data Security Standard uses these 12 requirements to provide a “baseline of technical and operational requirements designed to protect cardholder data.” They are as follows:

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

You can download the Merchant Attestation of Compliance here, entire Standard here, and the reporting Template here.

Ron Benvenisti 
